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Abstract 
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, To clarify what is involved in linking models to instruments, we adapt 



X 



quantum mechanics to define models that display explicitly the points at which 
they can be linked to statistics of results of the use of instruments. Extending 



o 

o 
o 

i an earlier proof that linking models to instruments takes guesswork, we show: 

M-i. 

I Any model of cryptographic instruments can be enveloped, nonuniquely, by 

^ , 

^ , another model that expresses conditions of instruments that must be met if 

the first model is to fit a set of measured outcomes. As a result, model a of 
key distribution can be enveloped in various ways to reveal alternative models 
that Eve can try to implement, in confiict with model a and its promise of 
security. A different enveloping model can help Alice and Bob by expressing 
necessities of synchronization that they manipulate to improve their detection 
of eavesdropping. Finally we show that models based on pre-quantum physics 
are also open to envelopment. 

PACS numbers: 03.67.Dd, 03.65.Bz, 89.70.+C 
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I. INTRODUCTION 



A designer Diana and the users Alice and Bob of cryptographic transmitting and receiving 
instruments, as well as the eavesdropper Eve, all employ various equations to model how 
results of the use of these instruments depend on what the participants do. Between a 
model as a set of equations and instruments made of glass and silicon there is a great 
divide. In choosing a model to analyze instruments or to be employed in a feedback loop 
where the model helps to operate instruments, one makes a link across this divide. While 
one can interpret measured results as refuting some candidate models, we recently proved 
that neither they nor logic can uniquely determine a quantum model: linking a model to 
instruments requires something beyond logic and measured data, something well named by 
the word guess 

Proofs of the security of quantum key distribution invoke inner products of quantum 
state vectors, and these depend on the model chosen. Here we prove that any given set of 
outcomes from a transmitter and receiver used to distribute a key can be fitted by many 
quantum-mechanical models which differ greatly among themselves in their inner products 
and hence in their implications for the security of a key. On one hand, this encourages 
Eve to invent snooping instruments even though she knows Alice and Bob have a proof of 
security, and, on the other hand, our findings encourage discovery and repair of "hidden 
security loopholes" [@] arising because their transmitting and receiving instruments "violate 
... assumptions [that underlie their model] in ways not immediately apparent to Alice and 
Bob" i. 

To underpin an examination of the linking of models to instruments, in Section II we 
adapt quantum mechanics to define models that display explicitly the points at which they 
can be linked to statistics of results of the use of instruments. The models to be intro- 
duced express "what the participants do" in terms of commands sent to the instruments 
via Classical, digital Process-control Computers (CPC's) that control them and that also 
record results from them; we call these CPC-oriented models. Section III extends an earlier 
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proof that linking CPC-oriented models to instruments takes guesswork: For any quantum- 
mechanical model of transmitting and receiving instruments there is another model (not 
unique) that expresses constraints in using the instruments that must be met if the first 
model is to fit a set of measured outcomes. We say the first model is enveloped by the 
second. 

In Section IV we prove that for any quantum model a of key distribution, there exists 
an enveloping model (3 that matches a with respect to measurements contemplated in a 
but that has smaller inner products and allows for other measurements, which, if Eve can 
implement them, allow undetected eavesdropping, in conflict with model a and its promise 
of security. For this reason, no proof can relieve Alice and Bob of the burden of making 
judgments about what models to link to their instruments, something implicit in but 
here made vivid. 

They can, however, put the same burden of judgment on Eve, for she too must use 
models. In Section V model a is enveloped by another model that expresses necessities of 
synchronization that Alice and Bob can manipulate to improve their detection of eavesdrop- 
ping. In Section VI we indicate how models based on pre-quantum physics are also open to 
envelopment. 

In summary, we find that instruments modeled are used in a context of circumstances 
and intentions which no model can fully describe. In creating an enveloping model, one 
formally expresses (rightly or wrongly) some hitherto unexpressed feature of this context. 
As will be proved, there is no end of opportunities to assert features of context, because any 
enveloping model can in turn be enveloped. 

II. LINKING INSTRUMENTS TO MODELS 

The central issue is the linking of uses of instruments to models. By model we mean a 
set of equations written in mathematical language, primarily quantum mechanics, with the 
intent of predicting statistics of the results of using instruments (such as transmitters and 
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receivers made of silicon and glass fibers etc.). Some of the equations of the set act as a set 
of assumptions from which the rest of the equations can be derived. Quantum mechanics 
provides a mathematical language in which to write down a wide variety of models, con- 
strained by a grammar of logical constraints, so within a model conclusions can be proved to 
follow from assumptions. Because different sets of assumptions generate different quantum- 
mechanical models, quantum mechanics is a language, as distinct from a particular model 
written in that language; it has more room in it for diverse models that accord with any 
given set of experimental results than has been appreciated. 

Although, as we shall see, instruments cannot be discussed independently of models, we 
separate them as best we can by the trick supposing the instruments are operated via digital 
computers. This will allow us to express "how the instruments are used" in terms of com- 
mands sent to the instruments by a Classical, digital Process-control Computer (CPC) that 
controls them and that also records results from them [||. Instruments swallow commands 
and give back recordable results. 

As discussed in parsing a stream of data from instruments into a sequence of measure- 
ment occurrences, each with a quantum-mechanical outcome, cannot be determined from the 
data alone, but takes extra hypotheses, indeed a kind of stripped-down model, determined in 
part by guesswork, which we call a parsing rule. Parsing requires guesswork, both to assert 
the statistical independence of one segment of data from another, and to select criteria by 
which to weed out artifacts in the data attributed to instrumental imperfections, such as 
false and missed detections. Using a parsing rule, one parses a stream of data from the 
instruments into a sequence of measurement occurrences, assumed statistically independent, 
and one formats the data segment for each occurrence into (1) how the instruments were 
configured and (2) an outcome from the instruments. The parsing rule makes no statement 
about values of probabilities of outcomes, but does assert that such values exist; it provides 
a range of outcomes that are possible to record as well as set of possible command sequences. 
In this way it limits the models that can be tested by measured data that it parses. 
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To view the linking of instruments to models we postulate an analytic frame in which (a) 
instruments write via some parsing rule what we and other scientists interpret as numerical 
outcomes, (b) they write these numbers in memories of CPC's, and (c) CPC's send commands 
to some or all of the instruments. We view each set-up of instruments in terms of records 
in CPC memories of commands sent to the instruments by CPC's and of outcomes from 
the instruments. Notice that we make no assumption that an instrument works as the 
manufacturer says it does, nor that it works the way any model compatible with the parsing 
rule says it does, nor that it functions statistically the same on Tuesday as it does on Monday. 
While such assumptions are made in the models to be discussed, the analytic frame provides 
room to consider cases in which the instruments write numbers that conflict with any or all 
models. 

We define a CPC-oriented model of a set-up of instruments to be a model that expresses 
conditional probabilities of outcomes given commands to the instruments. For instance, a 
model a to be introduced in Section IV will express a conditional probability of outcome j 
given a command 6^ from Alice's CPC to her transmitter and a command hE from Eve's CPC 
to her eavesdropping receiver, written PrQ,(j|6yi, hE)- The subscript marks it as an assertion 
within model a, leaving room to consider a different model (i that asserts a different numerical 

value VYp{3\hAM) 7^ Pr,O>A,&E).0 

The same CPC's that control the instruments house in their memories CPC-oriented 
models and programs designed using them. These models and model-derived programs 
are used off-line to simulate the instruments; they are used on-line, not to simulate the 
instruments, but to help operate them, for example in a feedback loop of Bob's receiver, 
as discussed in Section V. By considering both the instruments and the models as they are 
reflected in files of a CPC, we conceptually separate (as well as possible) these CPC-oriented 



^This extends our earlier analysis of instruments controlled by a single CPC programmed according 
to some model [j|J^ to deal with a setup of instruments controlled by several CPC's. 
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models from the instruments modeled while allowing for interaction between models and 
instruments. 

Like any set of equations, a CPC-oriented model can be copied, so copies of the same 
model can be used concurrently in different places for the same or different purposes. What 
can be done with a model or a program depends on where it is, for example on whether it is 
written in Alice's CPC or in Eve's. Because the models used in programming one CPC need 
not be the same as those used in programming another, several CPC's controlling interacting 
instruments can work from different models concurrently. Where and when and how a CPC- 
oriented model is used is traceable in the execution sequences of the CPC's in which copies of 
the model are housed, so the CPC frame allows analysis of various of CPC-oriented models 
and model-derived programs used to operate instruments that interact. Some or all of the 
instruments can be modeled by more than one model, and one model can conflict with 
another. Some models model other models: a component of Eve's model can be her model 
a' of Ahce and Bob's model a; this tells her (rightly or wrongly) how Ahce and Bob, using 
their model a, will decide on their security, distinct from how Eve decides using her model 
/3. Conversely, Ahce and Bob's model a contains as a component a model their model of 
Eve's model /3. There is no necessary stopping place in modehng models. 

If a model a invokes all the assumptions of a model /? and possibly more, we say model a 
specializes model or that model /? generalizes model a (meaning it has fewer assumptions). 
This is the first of several types of relations among models that will be used to express inter- 
actions between the invention and the modeling of transmitting and receiving instruments 
used in cryptographic key distribution. 

III. MODELS OF COMMUNICATION 

Ignoring eavesdropping for the moment, we focus on Alice communicating to Bob, as 
described quantum mechanically. Consider Alice transmitting m quantum bits of raw data 
to Bob, with Alice using one CPC to control her transmitter and Bob using another to 
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control his receiver. They want to jointly implement a CPC-oriented model 7 of quantum 
communication, which says at each of a sequence of m occurrences, Alice causes her CPC to 
command the preparation of a state vector, choosing u for or v for 1 at random. Her CPC 
records her choices of or 1. Bob's receiver has, say, light detectors, one interpreted in model 
7 as detecting u to indicate Alice's choice of and another detecting v to indicate Alice's 
transmission of 1. Bob's CPC records the decisions of his receiver, described as deciding on 
or 1 or, if neither detector fires, 'inconclusive' 
Model 7 is composed of: 

1. a set of command strings that Alice's CPC can send to generate states, here just 
the set {0, 1}; a set of commands that Bob's CPC can send to his receiver, which 
in this case is empty; 

2. a Hilbert space T-Cy = {i.e., the vector space of complex dimension 2); 

3. a function for states as functions of commands (here only Alice's commands), : 

—>■ Tiy such that 1^7(0)) = u and \vy{l)) = v; 

4. a set of possible outcomes of Bob's measurement, indexed by j ranging over natural 
numbers or some subset of natural numbers, here for [^^(O)), 1 for [^^(l)), and 2 for 
'inconclusive'; 

5. a function from Bob's commands to positive operator valued measures (POVM's) on 
TCy, here simphfied to the single POVM consisting of a set of detection operators 
M^{j) with 

Ej My{j) = 1, 

(yj)M^U) > and My{j) = M^U)^ . 

Model 7 asserts the probability of outcome j given a command 6^ G A^ for state preparation 
to be 



7 



Pra(j|feA) = MbA)\M^{j)\v{bA)). (1) 

In relating model 7 to results in his CPC, Bob thinks of his CPC as recording detection 
results of Alice's m-bit transmission in a sequence of m memory segments, each of which can 
hold two bits, coded 00 for Alice's '0', 01 for Alice's '1', and 10 for 'inconclusive'. We will 
refer to these two-bit memory segments in connection with timing, to which we now turn. 

A. Need for synchronization 

Model 7 is an armchair view of Bob's receiver that lacks the detail necessary to design it. 
To design a receiver that works according to model 7, Diana must provide for synchronizing 
it to Alice's transmitter within some allowed leeway. For this Diana envelops model 7 
with a more detailed model 6 that expresses the conditions of synchronization that must 
be maintained between Alice's transmitter and Bob's receiver if model 7 is to accord the 
records of Alice's commands and Bob's detections. Diana provides for Bob's receiver to 
meet these conditions by adjusting the rate of Bob's clock in response to measured results 
interpreted in model 6. She designs this feedback loop by choosing a classical-control model 
e, to be discussed shortly. Without the gaps in synchronization defined by model 6 and their 
containment within the allowed leeway in accord with model e, Bob's CPC, driven by its 
clock, would mistime its routing of a detector signal to the k-th memory segment, resulting 
in an erroneous record.^ 

To express the effect on reception of the drift of the clock of Bob's CPC relative to Alice's 
clock, Diana (having learned from Einstein) defines synchrony in terms of measurements 



^Although for a short transmission line of a fixed delay, Bob and Alice can use the same clock to 
drive their CPC's synchronously, but for variable delay, e.g. if Bob is in motion, he needs his own 
clock, independently adjustable 0. And even where the single-clock design works, Bob's receiver 
must adjust its phase. 
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made of Alice's signal arriving at Bob's clock; however, in using a quantum model of the 
measurement of that signal, she must cope with quantum indeterminacy, which limits Bob's 
receiver's knowledge of arrival times to what it can deduce via Bayes rule from outcomes. 
To produce suitable outcomes, Diana invents a model S, which has a Hilbert space Hs, of 
dimension higher than that of 7i^, along with states \vs{bA, s)) that are functions not only 
of Alice's commands in As = A^, but also of a skew s of Bob's clock relative to an imagined 
ideally synchronized clock. Diana designs Bob's receiver to measure the k-th signal from 
Alice when the clock of Bob's CPC reads tk. When we imagine Bob's clock reads tk as the 
ideal clock reads — s^, we say Bob's clock is fast by a skew s^. The state measured by 
Bob's receiver when his clock reads tk is then \vs{bA,Sk)) — Us{—Sk)\vs{bA,0)), where Us is 
a unitary-operator-valued function of Sk by which Diana expresses skew. 

In order to allow different possible outcomes for different values of the skew at the 
reception of the A;-th of the m signals from Alice, model S must assume more possible 
outcomes than the 0, 1, and 'inconclusive' of model 7, so the POVM Ms has more than the 
three detection operators of My. When restricted to skews of magnitude smaller than 
some allowed bound sq, model S projects onto model 7 as follows: 

1. \vs{b,Sk)) 1-^ Iv-yib)), and 

2. the detection operators of Ms partition into three sets, such that the sum of operators 
for each set maps to a single detection operator Mj{j) with respect to probabilities of 
detection of j. 

But outcomes in model 6 tell more than these projections. At each signal reception, Bob's 
receiver records in his CPC not only a decision among 0, 1, and 'inconclusive' but also 
finer distinction from which his CPC estimates its clock skew (via Bayes rule and a prior 
probability distribution that Diana assumes for skew) . In order to record the outcomes that 
help estimate skew and guide clock-rate adjustment, Bob's receiver, designed using model 
5, needs a memory segment for the k-th reception of more than two bits. Hence, the record 
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previously discussed in connection with model 7 is extracted from a larger record required 
by model 5.i 

To contain skews within the tolerable bound sq, Diana chooses a classical model e by 
which to design a program that, when executed by Bob's CPC, responds to estimated skews 
by sending a command from the CPC to set a 'faster-slower' lever on the clock that drives 
that CPC; the command is a value of a control function that takes as its argument a 
computer file consisting of skews calculated from recently recorded detection results and 
recently issued commands to the clock itself. Although the quantum state to be controlled 
has a history that Bob's CPC can only estimate via Bayes rule from outcomes, the design 
of a control function is within the discipline of classical feedback design.^ If model S is 
implemented and if model e succeeds in generating steering commands that are adequate, 
the skews are held within the bound ±So so that Bob's detection results fulfill the intention 
of model 7 and, additionally, allow his CPC to make skew estimates necessary to guide clock 
adjustment. 

Remark 1: Models, such as 7 and 5, express desires and obstacles more flexibly than do 
inputs used for this purpose in control theory [^Q. Alice expresses what she wants by 
choosing model 7 altogether, not just by an 'input' of or 1 to her transmitter. Because 
Diana wants Alice and Bob's instruments to work in accord with Alice's model 7, in spite 
of the obstacle of clock drift, she chooses models 6 and its classical companion, model e. 

Remark 2: The number of bits that arrive at Bob's receiver is model-dependent: whether 
a detection result for a signal is seen as two bits (ignoring skew) or as more bits (allowing 



^Must there exist a quantum mechanical model that accords with experimental results of measure- 
ments of a skew-dependent state? Yes, because, any digital record can be interpreted (nonuniquely) 
as a record of quantum outcomes, and for any set of outcomes with their relative frequencies as 
functions of commands, many quantum mechanical models have probabilities that exactly fit [Q]. 

^For discussion of Bayes rule in a non-quantum context of control, see Q. 
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for skew) depends on whether the record of the signal detection is interpreted using model 
7 or model 6. 

Recall the freedom always present in quantum mechanical modeling to shift the boundary 
between the 'system' modeled and the measuring instrument, for instance by counting more 



of the measuring instrument as part of the system |10]. In view of this freedom, we conclude 



Remark 3: Every quantum mechanical model is contingent in the sense that it is projected 
onto by a restriction of an enveloping model that shows other possibilities. 



IV. MODELS OF VULNERABILITY TO EAVESDROPPING 

Widely discussed quantum-mechanical models of key distribution assert a nonzero inner 
product between quantum state vectors that Alice communicates to Bob, with the conse- 
quence that eavesdropping almost always leaves tracks in the form of errors that Bob and 
Alice can detect. If Alice's transmitter, Bob's receiver, and Eve's snooping instruments can 
be counted on to work in accord with any of these models, then Alice can send Bob a key se- 
cure against undetected eavesdropping. The models can all be translated into CPC-oriented 
models to make visible the points at which they can be linked to results of the use of instru- 
ments, and it is to the credit of some of these models that relative frequencies of experimental 
results accord reasonably well with conditional probabilities of outcomes derived from the 
states and operators posited by the models. But we are sloppy if we forget that quantum 
states are terms in models, rather than model-independent features of instruments. 

In linking a CPC-oriented model a to instruments, one identifies commands in model a 
with commands sent from CPC's to the instruments, for example commands b^, bs, and 6^ 
from CPC's controlled by Alice, Bob, and Eve, respectively; one also parses results of the 
use of instruments in response to commands as quantum-mechanical outcomes, so that one 
can compare relative frequencies of these results to the conditional probabilities asserted by 
model a, e.g. PYa{j\bA, bs, bs) as the conditional probability of a quantum outcome j given 

11 



commands Ba, bB, and bE- (The outcome j can be seen as several fragments, for example 
one for Bob and one for Eve, allowing for analysis of mutual information between Eve and 
Bob, etc.) It is to be noticed that this procedure sets up a divide that runs through the CPC 
between state vectors as terms in models, on one side, and on the other side the commands 
to and results from instruments. A large part of the story told here amounts to noticing this 
divide. 

Given a CPC-oriented model a of quantum key distribution that shows Alice and Bob 
to be secure against eavesdropping, one can envelop model a in a model /3 that introduces 
a range of conditions; under some conditions model jS projects to model a, agreeing with it, 
while under other conditions model /3 leads to drastically different conclusions in conflict with 
those of model a. Among these are conditions under which Eve can learn the key without 
leaving tracks that Alice and Bob can detect. This envelopment is possible because model 
(3 can invoke states and their inner products that differ from those of model a while still 
agreeing with model a with respect to probabilities of outcomes for commands considered 
in model a. 

For example, we envelop model a with a model (3 expressing conditions in which Alice's 
transmitter leaks light into a channel accessible to Eve, but that is unknown to Alice and 
Bob (and is not expressed in model a 0). There are two cases to consider, corresponding 
to two types of models. Deferring models of Eve's use of a probe, we start with the simpler 
case of a model that segments the transmission of signals from Alice to Bob into (1) Alice's 
transmission to Eve, followed by (2) Eve's transmission to Bob. For such segmented trans- 
mission, suppose model a assumes that (1) Alice chooses commands from a set = {0, 1}, 
with command 6a generating a state vector \va{bA)) G Ti-a, and (2) Eve commands her lis- 
tening instruments with a command 6^ G to make a measurement expressed by a POVM 
MaipE) which has a detection operator MaipE'^jE) acting on TYq, associated with outcome 
jE- Model a implies that the conditional probability of Eve obtaining the outcome je given 
her command bE and Alice's command bA is 
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Pra{jE\bA,bE) = {Va{bA)\Ma{bE; jE)\Va{bA)) ■ 



(2) 



Proposition 1 Given any such (segmented) model a with inner product (^0(0)1^0,(1)) and 
given any < r < 1, there is a model f3 that gives the same conditional probabilities of Eve's 
outcomes for all her commands belonging to E^, so 

[WbA e bE e Eo,)PTp{jE\bA, bE) = PTa{jE\bA, bE) (3) 

while 

\{vmMl))\=r\MO)Km. (4) 



Proof. Motivated by the idea that, unknown to Alice, her transmitter signal might generate 
an additional "leakage" into an unintended spurious channel that Eve reads, we construct 
the following enveloping model P which assumes: 

1. the same set of commands for Alice, so Af^ = A^, 

2. a larger Hilbert space Ti/j = Tiieak ® 'Ha in which Alice produces vectors \vfs{bA)) = 

\u!f3{bA)) ® |Vo(6a)), with \wp{bA)) G Hleak] 

3. a larger set of commands for Eve, Ej^ = E^U -Eextra (disjoint union); 

4. a POVM-valued function of Eve's commands to her measuring instruments, with de- 
tection operators 



Mp{bE]jE) = < 



-I- leak 

(g) Ma{bE\3E) for all bE e 
Eve's choice of POVM to distinguish \vp{fS)) (5) 

from \vp{l)) libE e £^extra- 



According to model /3, if Eve chooses any measurement command of Ea, Eq. @) holds. But 
model /3 speaks not of the vectors 1^0(6^)) but of other vectors having an inner product of 
magnitude 
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l(^/3(0)|t;,(l))| = |(«;(0)|«;(l))||M0)|^„(l))|. (6) 

The unit vectors \w{0)) and \w{l)) can be specified at will, so that the factor r =^ 
|(u'(0)|tL'(l))| can be chosen to be as small as one pleases. □ 

If she can find and gain access to a channel carrying leakage states, Eve implements a 
model (] with a value of r < 1, in which case she uses an optimal POVM to distinguish 
Alice's I's and O's, with fewer 'inconclusives' than Alice and Bob think possible, and hence 
with less impact on Bob's error rate. If Eve can do this, she has more information about 
the key for a given rate of Bob's errors than Alice and Bob found possible when they bet on 
model a, thus vitiating Alice and Bob's attempt to distribute a key secure against undetected 
eavesdropping. 

Whether Eve can implement a measurement of leakage as called for in model f3 with 
r < 1 is unanswerable by modeling; it is a question that requires work on "the other side of 
the divide." The point to be stressed is that the agreement between model a and a set of 
measured results, no matter what results, is no logical guarantee against Eve implementing 
model (3 with a value of r less than 1, or even a value of which would give her the whole 
key while causing no errors for Alice and Bob to detect. 



A. Models involving a defense function 

When noise in communications channels is recognized, privacy amplification is necessary 
to distill a secure key |ll|]. Arguments for the security of quantum key distribution with noisy 



channels, summarized and refined in Refs. [p|, p!2| , p!3| , p!^ , center on a defense function. The 
existence of a defense function depends on a proof (within some model) of a relation between 
Eve's maximum Renyi information on whatever bits she directly or indirectly interrogates 
and a positive contribution to Bob's error rate in receiving bits. 

Defense functions have been analyzed for models of Eve's use of a probe [|15| and without 
restricting Alice's transmission to a choice of only two state vectors. In such a model a, 
Alice chooses one of several state vectors in one Hilbert space ?isig,a while Eve generates a 
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fixed vector in a different Hilbert space 7iprobe,cn and the tensor product of Alice's clioice 
of state vector and Eve's fixed probe vector evolves unitarily in an interaction, after which 
Eve and Bob make measurements, Eve confined to the probe sector and Bob to the signal 
sector. Like segmented models, probe models relate Eve's information to Bob's error rate 
in such a way that Bob's error rate depends on inner products ascribed to the state vectors 
among which Alice chooses; in particular if the inner products for distinct signal vectors are 
all zero. Eve can learn everything without causing any effect that Alice and Bob can detect. 

The Appendix displays consequences of leakage of Alice's transmission for models involv- 
ing Eve's use of a probe: just as for models that segment the transmission, the state vectors 
used to model Alice's transmission are model-dependent, and so are their inner products. 
To see the consequence for defense functions, suppose that Alice and Bob use model a which 
assumes that Alice chooses between state vectors |fo(0)) and with inner product 

having a magnitude Sa = | (fa(l)|va(0)) |. Assuming model a, Alice and Bob determine a 
defense function t{n,eT), as discussed in [|12|; in order to mark its dependence on model a 
and especially its dependence on the inner product of Sa, we write this as ta{n, ex, So). For 
any such model a and whatever the measured results with which it accords, we can show 
a model f3 that agrees with model a insofar as these results are concerned, but disagrees 
with it about predictions of the detectability of Eve's eavesdropping, because in place of the 
inner product (s) of model a, model (3 has inner product (s) smaller by our choice of r, for 
any < r < 1. 

Proposition 2 If a model a asserts that Alice and Bob can distill a key that is secure 
against measurements commanded by Eve from a set of commands Ea, then there exists 
another model (3 that matches the predictions of model a for the commands in Ea but that 
makes additional commands available to Eve that make the key insecure. 

To prove this, one uses Proposition 3 of the Appendix that envelops any model a with a 
model 13 in which Sf^ = rSa with r as small as one pleases. The effect of making Sf^ smaller 
than Sa is visible for the case of B92 models in Figure 4 of |]T2[, where S^^ is denoted (in 
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notation with which our notation regrettably clashes) by sin 2a. One sees that as Sp gets 
smaller, tp gets bigger, so that at any fixed error rate, one can determine an r for which 



model /3 allows no distilled secure key. For the BB84 model as discussed in [|T2l, the effect 
of r -C 1 in an enveloping model (3 is to conflict with the BB84 model in such a way as to 
increase t and allow undetected eavesdropping. 

Thus, just as for segmented eavesdropping discussed above. Eve can try to implement 
a model {3 which drastically increases what she can learn for a given error rate. Again, 
whether she can succeed in implementing such a model is another question, on the other 
side of the divide that runs through the CPC's between models and instruments. No matter 
what measured results they stand on, Alice and Bob always face a choice between a model a 
and an enveloping model (3 that challenges the security asserted by model a. Because both 
models make identical predictions about probabilities that connect with the measured data, 
Alice and Bob face a choice that no combination of logic and their flxed set of measured 
results can decide. They must make a judgment, or, to put it baldly, they must make a guess 
and act on it |^. 



V. MODULATION OF CLOCK RATE TO IMPROVE SECURITY 

While Alice and Bob may view their need for guesswork and judgment as bad news, 
they can put this need to good use if their system designer Diana recognizes that Eve is in 
the same boat: she too must act on guesswork. Recognizing this, Diana can design a key 
distribution system with features that make it harder for Eve to snoop. 

As discussed in Section III, to accord with model a, any receiver whether Bob's or 
Eve's, must maintain close synchrony with Alice's transmission in order to function. In both 
the segmented and the probe cases discussed above, the models a and j3 can accord with 
measured results only if Bob's and Eve's receivers work in accord with enveloping models 
similar to model 5 that expresses clock skew contained within an allowed leeway. Recall that 
model 5 describes a receiver as parsing its results for each of Alice's bits into two parts, one 
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indicating '0', '1', or 'inconclusive', the other indicating skew to be contained by adjusting 
the faster-slower lever of Bob's clock, and, like Bob's receiver, Eve's must do this to make 
eavesdropping measurements at times that work.! 

We suggest that Diana try to design Alice's transmitter and Bob's receiver to make 
the parsing by Eve's receiver impossible without use of prior information that Alice has also 
encoded, and that Bob has better access to than does Eve. The idea is for Alice's transmitter 
to be timed by a clock whose rate is intentionally randomly varied rapidly and over a wide 
range, and for Alice to encrypt indications of coming rate variations in her transmission to 
Bob. The eavesdropping problem is different (and harder) for these rate variations than 
for the key because they are more perishable. Quantum-mechanical models assert that the 
operation of the faster-slower lever on Eve's receiver cannot be corrected ex post; that is, if 
she intercepts Alice's signal and records it using a receiver clock unsynchronized to Alice's 
transmission, there is no way to reconstruct from her record what she would have received 
with a synchronized clock. 

VI. GENERALIZATION 

Extending the proof in |]l| that guesswork is necessary to the linking of quantum models 
to results of instruments, we have introduced the concept of enveloping models to prove that 
for any quantum-mechanical model a of key distribution there exists an enveloping model f3 
that agrees with a for commands dealt with by a, but encompasses other possibilities, and 
leads to conclusions about security that conflict with those implied by model a. By drawing 
on the quantum-mechanical separation of states and outcomes, this proof used more than 
was really necessary. All that is necessary is the separation made in quantum mechanics 
between what happens at an occurrence of a measure, an outcome, and what might have 



^In the segmented case, Bob, unaware, synchronizes his receiver to Eve's re-transmission, even 
though he supposes he is synchronizing with Alice's transmission. 
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happened, expressed as the set of possible outcomes. This separation is found not only in 
quantum mechanics, but in any statistical theory, and in particular in the usual electrical 
engineering of "non-quantum" systems, based on Maxwell's electromagnetics to which one 
adjoins ideas of noise or the generation of random signals. In this non-quantum framework, 
the statistical outlook alone allows one to introduce CPC's as a medium in which to see a 
divide between models and instruments within the CPC's that manage both. Doing this, 
one puts the statements of a model in the form PrQ,(j|6^, 6^;). Then Propositions 1 and 2 
can be proved without resort to quantum mechanics, so again the issues considered above 
arise: (a) what else might Eve measure that a model used by Alice and Bob has failed to 
account for, and (b) how might clock pumping help Alice and Bob? Thus the uncloseable 
possibility of enveloping any model a by another model (3 that expresses extra conditions of 
the use of instruments is no peculiarity of using quantum rather than non-quantum models; 
it is endemic to any cryptographic modeling that invokes probabilities. 
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APPENDIX A: LEAKAGE CHANNEL IN CASE EVE USES A PROBE 



This appendix proves for the case of Eve using a probe the analog of Proposition 1: if one 
model with its inner products predicts a set of probabilities for outcomes, so does another 
model having smaller inner products. (Thus, as in the segmented case, inner products 
depend on a choice of model undetermined by measured data.) The proof here makes no 
requirement that Alice choose among only two state vectors; she can choose from a set of 
any size. Transposing to the CPC-context a model expressing Eve's use of a probe 0, one 
obtains a model a that assumes: 

1. a set of Alice's commands Aa] 

2. a Hilbert space 7isig,a for Alice's signals and a disjoint Hilbert space 7iprobe,a for Eve's 
probe; 

3. a function assigning Alice's states to commands (here only Alice's commands), \va) '■ 

4. a fixed starting state for Eve's probe of Icq,) G Hprobe.a; 

5. a set Ea of Eve's possible commands to her measuring instruments; 

6. unitary operators UaipE) for hE G acting on the product Hilbert space Tiprobe.a ® 
Hsig^a for the interaction of Eve's probe with Alice's signal; 

7. a set Oe of possible outcomes of Eve's measurements, indexed by Je] 

8. for each of Eve's commands Be G E^, a POVM ME^aibs) with detection operators 

ME,aibE;jE) that act on Hprobe,a; 

9. a POVM for Bob's receiver acting on Hsig,a, with possible outcomes indexed by Jb and 
detection operators MbUb)- 
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This produces a quantum mechanical model a in which 



Pra{jB,jE\bA,bE 



K(MI(ea|^I(M[^^B(jB)®M^,(6E;jE)]t/a(M|ea|)|fa(M)- 



(Al) 



Proposition 3 Given any such (probe) model a with inner products {va{bA)\va{b'Jl^)) and 
any < r < 1, there is a model (5 that gives the same conditional probabilities of Eve's and 
Bob's outcomes for each command bE G E^ and for all of Bob's commands, so 



Proof. The proof extends the construction used in the proof of Proposition 1, with a model 
13 defined by 

1. the same command set for Alice: Ap = A^] 

2. signals expressed by a vector intended by Alice, as in model a, tensored in to an 
unintended vector in an additional Hilbert space Tiieaki so Alice produces vectors 

\vi3{bA)) = \wp{bA)) ® \Voc{bA)), with |w/3(&a)) e V-leak] 

3. a fixed starting state for Eve's probe of le^) G 7iprobe,a; 

4. a larger set of commands for Eve, Efj — E^V^ Eextva (disjoint union); 

5. unitary operators UpipE) acting on 'Hieak ® 'Hprobe.a ®'Hsig,a for the interaction of Eve's 
probe with Alice's signal, defined so that 



(V6a e 6e e £'a)Pr^(j£;|6A, 



) = Pra(jE|6A,&E 



(A2) 



while 



(ybA ^ yA)\{vA^A)W{yA))\ = r\{v^{bA)W{yA))\- 



(A3) 




Eve's choice of unitary U^ifjE) if &e G E^ 




'extra i 



(A4) 
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6. a POVM-valued function of Eve's commands to her measuring instruments, with de- 
tection operators defined so 



Mp{hE\3E) 



1 ® M^{hE\ Je) for all hE G 

Eve's choice of POVM on (A5) 



According to model /3, if Eve chooses any measurement command of E^, Eq. ( [A2[ ) holds. 
But model f3 speaks not of the vectors |fa(&A)) but of other vectors having an inner product 
(relevant to the security of quantum key distribution) of 

\MbA)\vp{b'M = \{w{bA)\w{b'^))\\{v^{b^)Mb'A))l (A6) 

The unit vectors \w{bA)) can be specified so that \w{bA)) = r^^'^\u(bA)) + (1 — r)\uQ), with 
(M(6yi)|'u(6^)) = for all 6^ 7^ 6^ and {u{bA)\uo) = for all 6^ G A^. With this specification 
Eq. holds, and furthermore r can be chosen as small as one wishes. □ 
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